
Security News
Feross on TBPN: How North Korea Hijacked Axios
Socket CEO Feross Aboukhadijeh breaks down how North Korea hijacked Axios and what it means for the future of software supply chain security.
Intelligent dependency security scanner with auto-fix capabilities. SecureSync goes beyond traditional vulnerability scanners by analyzing breaking changes, generating migration scripts, running tests, and finding secure alternatives to abandoned packages.
npm install -g securesync
Or use with npx:
npx securesync scan
securesync scan
securesync fix
securesync analyze lodash 4.17.20 4.17.21
securesync alternatives moment
securesync migrate react 17.0.0 18.0.0
Scan your project for security vulnerabilities:
securesync scan [path]
Options:
-d, --dev Include dev dependencies
-r, --reachability Analyze vulnerability reachability
--enhance Enhance with additional vulnerability databases
--fail-on <severity> Exit with error if vulnerabilities found (low|moderate|high|critical)
--json Output results as JSON
Automatically fix vulnerabilities:
securesync fix [path]
Options:
--auto Automatically apply fixes without prompts
--no-test Skip running tests
--max-severity <level> Only fix up to this severity (default: critical)
--breaking-changes <action> Handle breaking changes (skip|warn|allow)
Analyze breaking changes for a package update:
securesync analyze <package> <from-version> <to-version>
Options:
--json Output results as JSON
Find alternative packages:
securesync alternatives <package>
Options:
--min-downloads <number> Minimum weekly downloads
--max-age <days> Maximum days since last publish
--min-stars <number> Minimum GitHub stars
--zero-vulns Only show packages with zero vulnerabilities
--min-compat <number> Minimum API compatibility score (0-100)
--json Output results as JSON
Generate migration scripts:
securesync migrate <package> <to-version>
Options:
-p, --path <path> Project path (default: cwd)
--from <version> Current version (auto-detected if not provided)
--output <path> Output directory for migration scripts
--json Output as JSON
Use SecureSync in your own tools:
import { SecureSync } from 'securesync';

const scanner = new SecureSync({
  projectPath: process.cwd(),
  autoFix: true,
  testBeforeUpdate: true,
});

// Scan for vulnerabilities
const results = await scanner.scan();
console.log(`Found ${results.vulnerabilities.length} vulnerabilities`);

// Auto-fix with test verification
const fixes = await scanner.fix({
  maxSeverity: 'moderate',
  breakingChanges: 'warn',
});
console.log(`Fixed ${fixes.packagesUpdated} packages`);

// Find alternatives
const alternatives = await scanner.findAlternatives('lodash');
console.log('Top alternatives:', alternatives.slice(0, 3));

// Visualize dependency graph
const graph = await scanner.visualizeDependencies({
  format: 'tree',
  highlightVulnerabilities: true,
});
console.log(graph);
class SecureSync {
  constructor(options: SecureSyncOptions);
  scan(options?: ScanOptions): Promise<ScanResult>;
  analyzeBreakingChanges(pkg: string, from: string, to: string): Promise<BreakingChangeAnalysis>;
  generateMigrations(pkg: string, changes: BreakingChangeAnalysis): Promise<Migration[]>;
  fix(options?: FixOptions): Promise<FixReport>;
  findAlternatives(pkg: string, criteria?: SearchCriteria): Promise<Alternative[]>;
  visualizeDependencies(options?: VisualizationOptions): Promise<string>;
  getDependencyGraph(): Promise<DependencyGraph>;
}
// Scanner
import { scanNpmProject } from 'securesync';
const results = await scanNpmProject('/path/to/project');

// Analyzer
import { analyzeBreakingChanges } from 'securesync';
const analysis = await analyzeBreakingChanges('lodash', '4.17.20', '4.17.21');

// Remediation (takes the BreakingChangeAnalysis produced by the analyzer above)
import { generateMigration, testDrivenUpdate } from 'securesync';
const migrations = await generateMigration('/path', 'lodash', analysis);
const result = await testDrivenUpdate('/path', 'lodash', '4.17.21', migrations);

// Alternatives
import { findAlternatives } from 'securesync';
const alternatives = await findAlternatives('moment');

// Graph (dependencyTree is the project's dependency tree, obtained beforehand)
import { buildGraph, visualize } from 'securesync';
const graph = buildGraph(dependencyTree);
const output = visualize(graph, { format: 'tree' });
name: Security Scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npx securesync scan --fail-on high
      - run: npx securesync fix --auto
security_scan:
  script:
    - npx securesync scan --fail-on high
    - npx securesync fix --auto
Create a .securesyncrc.json file in your project root:
{
  "autoFix": false,
  "testBeforeUpdate": true,
  "createBackup": true,
  "maxSeverity": "moderate",
  "breakingChanges": "warn",
  "excludePackages": ["package-to-ignore"],
  "includeDevDependencies": false
}
import { scanNpmProject } from 'securesync';

const results = await scanNpmProject('./my-project');

console.log('Vulnerability Summary:');
console.log(`  Critical: ${results.summary.critical}`);
console.log(`  High: ${results.summary.high}`);
console.log(`  Moderate: ${results.summary.moderate}`);
console.log(`  Low: ${results.summary.low}`);

for (const vuln of results.vulnerabilities) {
  console.log(`\n${vuln.id}: ${vuln.package}@${vuln.version}`);
  console.log(`  Severity: ${vuln.severity}`);
  console.log(`  Patched in: ${vuln.patched.join(', ')}`);
}
import { SecureSync } from 'securesync';

const sync = new SecureSync({
  projectPath: './my-project',
  testBeforeUpdate: true,
  createBackup: true,
});

const report = await sync.fix({
  maxSeverity: 'high',
  breakingChanges: 'skip',
  dryRun: false,
});

if (report.packagesFailed > 0) {
  console.error('Some packages failed to update:');
  for (const result of report.results) {
    if (!result.success) {
      console.error(`  ${result.package}: ${result.reason}`);
      if (result.rolledBack) {
        console.error('  (rolled back)');
      }
    }
  }
}
import { findAlternatives } from 'securesync';

const alternatives = await findAlternatives('moment', {
  zeroVulnerabilities: true,
  minDownloads: 100000,
  minCompatibility: 70,
});

console.log('Best alternatives to moment:');
for (const alt of alternatives.slice(0, 3)) {
  console.log(`\n${alt.name} (score: ${alt.score}/100)`);
  console.log(`  Downloads: ${alt.downloads}/week`);
  console.log(`  Migration effort: ${alt.migrationEffort}`);
  console.log(`  Compatibility: ${alt.compatibility}%`);
}
npm run build
npm test
npm run type-check
MIT
Contributions are welcome! Please read our contributing guidelines and code of conduct.
SecureSync builds upon the excellent work of:
Made with care for the open source community.